SMS-based 2-factor: Good or Bad?

Wired published recently an article about how SMS-based 2-factor authentication is not good. This article is making a buzz, and an article appeared on that topic in Fortune. The basis for these articles is that SMS-based authentication is not associated to something you have (your phone), but with something you are loosely associated to (your phone number).

The article demonstrates how easy it is to hijack’s someone’s phone number. And of course, once this is done, you can get the authentication SMS and get in. The article points to a solution that really makes your phone a second factor, such as the Google Authenticator application. It generates a one-time password every 30 seconds, without depending on any communication: you simply need to run the app.

But SMS-based second factor isn’t that bad, and it is definitely better than nothing, and Wired fails to tell us why:

In the case of a big leak of a few million passwords, any second factor works to protect you against the robots who will check that the password is working before putting it for sale.

However, it doesn’t protect you well from that guy who is chasing YOU. In that case, the SMS is definitely easier to hack than other methods that require physical access.

Unless you are famous or you are being unfriendly to hackers, it is quite unlikely that you will be targeted personally by a hacker (at least these days, this may change in a few years…).

So,if you are using SMS-based 2-factor authentication, you may think about other methods if they are available (Fido is great). But if you don’t use 2-factor authentication at all, please start by using this SMS thing, it will protect you at least against the major leaks that we are seeing these days.

Wondering which services you can protect with 2-factor authentication? Check this page and realize that most of the sites you use can be protected.